From 1d8facfe1cc640ecc5d5db8365b0134f7c8726d6 Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 22 Apr 2021 11:37:02 -0400
Subject: [PATCH] Prevent admin self-deletion in API

Ref T319
---
 account.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/account.go b/account.go
index b4abca7..b93168f 100644
--- a/account.go
+++ b/account.go
@@ -1158,7 +1158,11 @@ func handleUserDelete(app *App, u *User, w http.ResponseWriter, r *http.Request)
 return impart.HTTPError{http.StatusBadRequest, "Confirmation username must match your username exactly."}
 }
 
- // TODO: prevent admin delete themselves?
+ // Check for account deletion safeguards in place
+ if u.IsAdmin() {
+ return impart.HTTPError{http.StatusForbidden, "Cannot delete admin."}
+ }
+
 err := app.db.DeleteAccount(u.ID)
 if err != nil {
 log.Error("user delete account: %v", err)
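Review bot: The new `u.IsAdmin()` guard lives only in handleUserDelete, immediately before the `app.db.DeleteAccount(u.ID)` call, so any other caller of `DeleteAccount` (the subject line's "in API" suggests a non-API deletion path may exist) is not covered; if that is the case, the safeguard belongs in `DeleteAccount` itself or in a helper both paths share. The refused attempt is also returned as a 403 without any log entry, unlike the failure branch just below it, so an operator has no record that an admin tried to remove their own account — consider `log.Info("user delete account: refused for admin %d", u.ID)` or the file's equivalent before the return. The added comment is vaguer than the TODO it replaces; `// Refuse to delete an admin account: this is the authenticated user's own account, so this blocks admin self-deletion` states the actual rule. handleUserDelete's body starts and ends outside the hunk.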